r meant random as opposed to k, which meant Koblitz. The Koblitz curve had a and b coefficients like 0 and 1, but the r curves had a and b derived from the output of a hash...
Back in 2000, when SEC2 came out introducing these names (and OIDs), the attacks on special curves (MOV and SASS attacks) were much more recent, and the r type would avoid any similar attacks, if some were to follow. The idea that somebody could search a million curves to find a 1-in-a-million weakness was known but by comparison was a fantasy, so a much more remote threat. In 15 years, for prime field ECC no new attacks have shown, so one can focus on more speculative threats, and to choose better seeds, etc.

Original Message
From: Viktor Dukhovni
Sent: Thursday, July 16, 2015 12:45 AM
To: tls@ietf.org
Reply To: tls@ietf.org
Subject: Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

On Thu, Jul 16, 2015 at 12:17:28AM -0400, Dave Garrett wrote:

> Side question: what is the meaning of the "r" in the naming convention we
> use? (e.g. secp521r1, & sect571r1 vs. sect571k1)

The "r" means that a mysterious seed can be used to "verify" that the
curve parameters are ("nothing up my sleeve") *r*andom.

--
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
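
The seed "verification" the thread refers to, as an added example that is not part of either message or of SEC2 itself: it recomputes the hash-derived value c from a published seed and checks that b^2 * c = a^3 (mod p) with a = -3. Assumptions: it uses secp256r1 (a prime-field r curve not named in the thread) with its published p, b and seed, follows the SHA-1 based ANSI X9.62 / FIPS 186 procedure for prime curves, and the function names are illustrative.

```python
import hashlib

# Published secp256r1 (NIST P-256) domain parameters and seed.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def derive_c(seed: bytes, p: int) -> int:
    """Expand the seed with SHA-1 into an integer c one bit shorter than p."""
    l = p.bit_length()
    v = (l - 1) // 160           # number of extra 160-bit hash blocks
    w = l - 160 * v - 1          # bits kept from the first hash
    z = int.from_bytes(seed, "big")
    modulus = 1 << (8 * len(seed))
    c = sha1_int(seed) & ((1 << w) - 1)      # w rightmost bits of SHA-1(seed)
    for i in range(1, v + 1):
        s_i = ((z + i) % modulus).to_bytes(len(seed), "big")
        c = (c << 160) | sha1_int(s_i)       # append SHA-1(seed + i)
    return c


def seed_matches_curve(seed: bytes, p: int, b: int) -> bool:
    """True if b is consistent with the seed: b^2 * c == -27 (mod p), a = -3."""
    c = derive_c(seed, p)
    return (b * b * c + 27) % p == 0


def flip_low_bit(seed: bytes) -> bytes:
    """Constructed negative case: a seed that differs in one bit."""
    return seed[:-1] + bytes([seed[-1] ^ 1])


if __name__ == "__main__":
    print("published seed verifies:", seed_matches_curve(SEED, P, B))
    print("altered seed verifies:  ", seed_matches_curve(flip_low_bit(SEED), P, B))
```

The check shows only that b follows from the seed; it says nothing about how the seed was chosen, which is the "choose better seeds" concern raised in the reply.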